Please fill out Intern Mike's survey for which locations and what SANS Mentor-led courses you'd like to see in the Boston area.

Tech Segment: MiniPwner (TP-Link TL-WR703n Pen Testing Drop Box)

Background

The MiniPwner is a pen-testing drop box. Prior to the MiniPwner we were using a Pwnie Express or an Apple travel router as drop boxes during physical penetration tests. But these solutions depended on a known IP addressing scheme or DHCP, a power outlet near an open network port, and unfiltered Internet access. My wish list for a home-built drop box was a router that was small, inexpensive, OpenWrt-supported, had wired and wireless interfaces, had space for a USB drive, and could be battery powered, all without soldering or custom firmware. The WR703N router had recently become available with OpenWrt support and seemed to be a perfect fit.

What Makes it Cool

TL-WR703N is cheap (under $25)

Small but powerful - Wired, Wireless, USB, battery power

No need to compile firmware or do any soldering to build a MiniPwner

Flexibility - add whatever packages you desire

MiniPwner Build Overview

What you'll need:

TP-Link TL-WR703N (or the slightly larger TL-MR3020)

USB flash drive (I like the low profile Cruzer Fit drives)

Battery Pack (I get the Sharper Image charger kit)

Ethernet cable, velcro

High Level Build Steps
1) Download the current OpenWrt firmware from downloads.openwrt.org or the 5/14/2012 "Derbycon" build off minipwner.com.
2) Use the web interface of the factory firmware to flash the router
3) Configure the Network
4) Mount the USB Drive
5) Download and install security packages

The "DerbyCon" build uses the nightly snapshot from 5/14/2012 with a couple of mods. A custom build script can be found in /user/share after the firmware is applied, and Reaver has been added to the packages repository. It is the only build I know of with Dsniff, Kismet and Reaver all working.
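As an added example (not the project's own files and not part of the DerbyCon build), the OpenWrt UCI files behind steps 3 and 4: /etc/config/network giving the single wired port a fixed address, /etc/config/wireless bringing up the WR703N's radio, and /etc/config/fstab (block-mount package) mounting the USB stick at boot. The addresses, channel, SSID, mount path and device node are assumptions, and the key is a placeholder.

```uci
# /etc/config/network  (added example; addresses are assumptions)
config interface 'loopback'
	option ifname  'lo'
	option proto   'static'
	option ipaddr  '127.0.0.1'
	option netmask '255.0.0.0'

# The WR703N's only Ethernet port, on a fixed (assumed) subnet
config interface 'lan'
	option ifname  'eth0'
	option proto   'static'
	option ipaddr  '192.168.1.1'
	option netmask '255.255.255.0'

# /etc/config/wireless  (added example; SSID assumed, key is a placeholder)
config wifi-device 'radio0'
	option type     'mac80211'
	option channel  '6'
	option disabled '0'

config wifi-iface
	option device     'radio0'
	option network    'lan'
	option mode       'ap'
	option ssid       'example-ssid'
	option encryption 'psk2'
	option key        'CHANGE-ME-placeholder'

# /etc/config/fstab  (block-mount package; mounts the USB stick at boot)
config global 'automount'
	option from_fstab '1'
	option anon_mount '1'

config mount
	option target       '/mnt/usb'
	option device       '/dev/sda1'
	option fstype       'ext4'
	option options      'rw,sync'
	option enabled      '1'
	option enabled_fsck '0'
```

The fstab stanza needs block-mount, kmod-usb-storage and the matching filesystem module (here kmod-fs-ext4) installed first; a reboot applies all three files.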

Stories

Paul's Stories

US-CERT: Samsung Printer Firmware Contains Backdoor - Oh, and here is the MIB. This is one gigantic flaming pile of crap. The entire thing, from firmware to vulnerability disclosure, it all sucks. So, once upon a time a developer decided it would be a good idea (likely sometime in 2004) to add in an SNMP backdoor. This means the device will listen on UDP port 1118 for SNMP traps. The same password of "s!a@m#n$p%c" will get you in and allow you to read (and write?) via SNMP. Samsung came out and said there was a vulnerability, and it affected Dell printers too. Samsung said they would produce a fix before the end of the year. They did not release the models that are vulnerable. Then they said they would have a fix for us tomorrow. In the meantime, they've pulled all the firmware downloads from their site. What are you hiding, Samsung? What, you don't want us to know just how deep and wide your problems with firmware go? Now you've caught my attention, and the attention of lots of other firmware-reverse-engineering-curious type people. I'm still on a mission to improve the security of embedded systems, and this is one reason why. I agree with some of the comments on Twitter: we are all to blame. Developers are to blame, users, and security folks for not working together and fixing the problem.

NEOHAPSIS - Security Advisory - TP-LINK TL-WR841N LFI - Just an FYI, this does not require a password to execute; it's sorta like an LFI with a splash of authentication bypass. Not only that, but the web user can read the freaking /etc/shadow file according to the advisory. Holy facepalm, Batman!

Belkin wireless routers weak key - Who thinks it's a good idea to base the default key on the MAC address? Really? Just stop, don't put a default WPA/WPA2 key on the device. Let the user enter it, make a wizard or something. If the user can't figure out how to enter a password, they shouldn't use wireless. If they really want to use wireless, they should call the Geek Squad or something.

Backdoor found in Piwik analytics software - Update - The H Security: News and Features - Guess how the backdoor got there? If you guessed a vulnerable WordPress plugin, you won the lottery! (Not really, someone from the Midwest and Arizona won; congrats to you, let's see how long before you go broke, crazy, or dead, and not in that order.) I wonder if it was the Wordfence plugin; that's a security plugin that contains an XSS vulnerability. Think they could be more like Yahoo! and not have stupid XSS vulnerabilities? Oh wait, never mind.

Yahoo XSS exploits going for $700 - Yep, Yahoo! has XSS; could be fun to exploit this one, steal cookies, etc... Turns out it's so much fun that people are selling them for $700, which I think is low...

ENISA promotes digital hacker traps - Honeypots are powerful tools that CERTs (Computer Emergency Response Teams) can use to have "threat intelligence collected without any impact on production infrastructure". Amen to that; if you have your ducks in a row, deploy a honeypot today!

Top 5 Security Predictions for 2013 from ISF - This is the best advice ever: Organizations must prepare for the unpredictable so they have the resilience to withstand unforeseen, high impact events. Gee, thanks for that.

Larry's stories

Track students with RFID? Anonymous no likey - [Larry] - From the internet vigilantes division: a school in Texas decides to track student movement (that sucks, BTW, and so much fun). A student refused to be tracked, and Anonymous took issue with the school. Tango Down…

YAY OSINT! - [Larry] - A neat new tool coming out of Kiwicon that utilizes keywords for monitoring various social media via API. Neat stuff!

Hotel lock fail in the wild - [Larry] - Remember that hotel lock break-in method we've mentioned more than once in the past? Yeah, well, turns out a hotel in Houston suffered a number of break-ins as a result of the vulnerability.

Allison's stuff

China hackers drive US software maker to the brink - This is a fascinating article and an excellent read. Even though the article didn't provide many technical details, it looked to me like the software company handled the attacks in the worst way possible. Why didn't they bring in outside help for the unexplained downtimes, or why didn't they investigate why revenues dropped with no explanation? Competent IT is hard to come by, and I think that's what really burned this small business in the end.